Just as Amazon stores millions of physical goods in a dizzying array of warehouses, Amazon Web Services hosts vast amounts of data for other companies that rent space on its servers. Among its customers was Capital One.
In early 2019, several years after she stopped working for Amazon Web Services, Ms. Thompson searched for its customers who had not properly set up firewalls to protect their data. “Thompson scanned tens of millions of AWS customers looking for vulnerabilities,” Mr. Brown wrote in a legal filing. By March, she had discovered a vulnerability that allowed her to download data from Capital One, the prosecutor added.
In June 2019, Ms. Thompson sent online messages to a woman and disclosed what she had found, legal filings said. Ms. Thompson added that she had considered sharing the data with a scammer, and said she would publicly reveal her involvement in the breach.
“I’ve basically strapped myself with a bomb vest,” Ms. Thompson said in copies of the online chat that were included in court records, referring to her plan to publicly release the data and expose herself.
The woman suggested that Ms. Thompson turn herself in to the authorities, prosecutors said. A month later, the woman contacted Capital One and told the bank about the breach. Capital One informed law enforcement officials, and Ms. Thompson was arrested in late July 2019. If convicted, she could face more than 30 years in prison.
“The snapshots submitted by the government are an incomplete and inaccurate portrayal of a life more fairly described as one of survival and resilience,” Mohammad Ali Hamoudi, a lawyer representing Ms. Thompson, and other members of her legal team wrote in a filing. Ms. Thompson had sought mental health treatment, they added, demonstrating her resolve to confront her problems.
In 2020, Capital One agreed to pay $80 million to settle claims from federal bank regulators that it lacked the security protocols needed to protect customers’ data. The settlement also required the bank to work quickly to improve its security. In December, Capital One agreed to pay $190 million to people whose data had been exposed in the breach, settling a class-action lawsuit.